Privacy policy

Beyond Valleys Art Therapy (Beyond Valleys) ABN 14187110423 (we, us, our) is committed to providing quality products and services (collectively, Services) to clients, customers, visitors or organisations (you, your) seeking, considering, and/or engaging our Services.

We have taken measures to safeguard your privacy and data security, and this policy sets out our ongoing obligations to you with respect to how we manage your personal and sensitive information (collectively, Personal Information).

We adhere to the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) (Privacy Act), which govern how we collect, use, disclose, store and dispose of your Personal Information. A copy of the Australian Privacy Principles can be found on the website of The Office of the Australian Information Commissioner at https://oaic.gov.au/.

1. Collection of Personal Information
   We collect Personal Information about you for the primary purpose of providing our Services to you, providing you with information, improving our Services, referring you from our Service to other services in your best interests, managing our relationship with you, marketing (e.g., sharing content with our mailing list subscribers), or where collecting this information is otherwise necessary for our functions or activities.
   
   We may also collect your Personal Information for secondary purposes closely related to our primary purpose in circumstances where you would reasonably expect such use or disclosure. You can unsubscribe from our mailing list at any time by contacting us in writing. Where appropriate and where possible, we will explain to you why your Personal Information is being collected at the time of collection and how we plan to use it.
   
   

2. Types of Personal Information collected
   Personal Information is information or opinion that identifies an individual. The types of Personal Information that we collect about you will depend on the nature of our interactions with you. You provide most of your Personal Information directly to us and for a specific purpose.
   
   If you are a client, the Personal Information that we collect about you may include names, contact details, gender identity, date of birth, location, and funding information where applicable.
   
   If you are a person other than a client, such as a service provider, emergency contact, or the client’s parent/legal guardian (or other authorised representative), the Personal Information that we collect from you will depend on how you are engaging with us, and may include names and contact details. We will only collect the information needed for you and/or the client that you are authorised to represent to engage with us.
   
   Other additional Personal Information that may be collected, at other times, include but is not limited to when you provide feedback to us, respond to surveys or promotions, send enquiries to us such as making a request to obtain resources, or communicate changes and preferences regarding how our Services are or will be provided to you.
   
   Sensitive information
   Personal Information collected may include sensitive information. Sensitive information is defined in the Privacy Act as information and opinions about such things as an individual’s racial or ethnic origin, cultural identity including whether you are of Aboriginal or Torres Strait Islander origin, philosophical beliefs, political opinions, religious beliefs or affiliations, payment details, criminal record, medical history, wishes regarding health care, or any other health information.
   
   Cookies and internet data
   Our web hosting platform uses cookies to identify traffic and interactions with our Website, in order to personalise and remember user data stored locally on the user’s device. Cookies do not identify individual users and we do not make any attempts to identify the individuals who use our Website. Cookies and other internet data are also typically collected by services such as Google Analytics to record and log activities on our Website and when links are shared; these data include IP address, domain name, browser type, operating system, access date and time, access to webpages, documents downloaded, search terms, link clicks, and referring website addresses.
   
   

3. How Personal Information is collected
   We will collect Personal Information directly from you where reasonable and practical. Personal information about you may be collected directly or indirectly, online or in person, in electronic or paper form, and in several ways depending on the type of information including:
   (a) Meetings, interviews, workshops, programs, and any other activities or events where you might be interacting with us and our Services;
   (b) Through our website at https://beyondvalleys.com.au/ (Website);
   (c) Through file sharing and transfers of any kind (e.g., images, artworks, documents, and other submissions);
   (d) Correspondence and communication of any kind (e.g., written, verbal, audio, video) by phone, email, SMS, or any other third-party applications or software;
   (e) By entering information on surveys or forms including our informed consent, client intake and service agreement forms;
   (f) From your website, publications, and other publicly available sources;
   (g) From information sources that you provide or make available to us in the course of receiving our Services (as a customer) or providing goods and services (as a supplier or service provider);
   (h) From cookies, internet use and services like Google Analytics; and
   (i) From third parties (e.g., your family, guardian or other health service providers) – see below.
   
   Personal Information from third parties
   To provide you with our Services, we may need to collect Personal Information from third parties. We will only do this with your consent or where it is otherwise permitted under the Privacy Act. We are permitted to collect your Personal Information from someone else without seeking your consent to prevent a serious threat to your life or safety, or that of any other person, and where it is unreasonable or impracticable to obtain your consent.
   
   In some circumstances, we may be provided with Personal Information by third parties. In such cases, we will take reasonable steps to ensure that you are aware of the information provided to us by the third party. If you provide Personal Information about someone other than yourself, you agree that you have obtained that person’s consent to provide the information for the purpose for which you provide it to us. You also agree that you have informed the person about our privacy policy and where to find it.
   
   

4. Use and disclosure
   We will generally only use or disclose your Personal Information for the main purposes for which it was collected. For example, if you are a client who has provided Personal Information to receive our art therapy services, we will generally only use your Personal Information to provide you with our art therapy services. We will only use or disclose your Personal Information for other purposes where:
   (a) You have consented;
   (b) Required or authorised by law;
   (c) The information is not sensitive information, and we use or disclose this information for purposes related to the primary purpose for which the information was collected in circumstances where you would reasonably expect such use or disclosure; or
   (d) The information is sensitive information, and we use or disclose this information for purposes directly related to the primary purpose for which the information was collected in circumstances where you would reasonably expect such use or disclosure.
   
   

5. Security and storage
   We take the security of your Personal Information seriously and have suitable physical, electronic and operational procedures in place to securely store, hold and protect your Personal Information from misuse, interference, loss and unauthorised access, modification or disclosure. For transparency, we provide a list below of third party services, applications and software that are used for our practice and business operations (collectively, Practice Technologies).
   
   In choosing which Practice Technologies were most suitable, we have rigorously researched, deliberated and chosen only to use Practice Technologies that comply and are subject to the Australian Privacy Principles in the Privacy Act, with the majority meeting industry-standard AES-256 TLS/SSL encryption for both data in transit and at rest.
   (a) Domain and Hosting Technologies: Squarespace Inc. (Website hosting), GoDaddy Inc. (domain registration);
   (b) Data Storage Technologies: Microsoft 365 (e.g., OneDrive, Outlook), Google (e.g., Gmail, Google Drive, Google Business), Adobe Scan;
   (c) Scheduling Technologies: Calendly (booking platform for phone consults); Humanitix (booking platform for group workshops);
   (d) Collaboration/Messaging Technologies: Microsoft Teams (video conferencing), Signal (messaging app);
   (e) Practice Management Technologies: Splose (practice management software including for client invoicing and records management);
   (f) Financial Technologies: Macquarie Group Limited (Macquarie Bank), Square (invoicing and POS software), Stripe (payment processing);
   (g) Accounting Technologies: Xero (accounting software);
   (h) Social Media Technologies (professional networking and marketing purposes only): Facebook, Instagram, LinkedIn;
   (i) And any other services, applications and software used for our practice and business operations.
   
   Personal Information may additionally be stored on devices operated by contractors and/or staff at Beyond Valleys, and in physical form including in files and on printed paper. To allow faster access to records, and to reduce the expense of long-term physical storage of records, it is our policy to store all records in electronic format wherever possible. We may store records electronically via imaging, scanning, filming or other technology used for the storage of documentation.
   
   Most Personal Information is or will be stored in client files. If you are an adult, such records will be kept by us for a minimum of 7 years following the date of last contact as per our regulatory obligations. If you are under 18 years old, such records are to be kept until you reach the age of 25. We may not retain and have no obligation to retain any original or electronic documents for any period of time beyond the minimum duration as per our regulatory requirements.
   
   Data removal and deletion procedures
   When your Personal Information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify your Personal Information according to relevant state and national laws. Procedures for data removal and deletion include identifying any digital records relating to you, and deleting or personally de-identifying them across all our Practice Technologies. We will also identify any physical records relating to you and shred them onsite or destroy them in a way that ensures you cannot be identified.
   
   

6. Accessing your Personal Information
   You may access, update and/or correct the Personal Information that we hold about you, subject to certain exceptions. If you wish to access your Personal Information, please contact us in writing at support@beyondvalleys.com.au
   
   Beyond Valleys will not charge any fee for your access request, but may charge a reasonable administrative fee for providing a copy of your Personal Information. In order to protect your Personal Information we may require identification from you before releasing the requested information. Beyond Valleys also reserves the right to refuse access or correction on reasonable grounds, such as if providing access would be unlawful or would compromise the privacy of another person.
   
   

7. Maintaining the quality of your Personal Information
   We will take reasonable steps to ensure that your Personal Information is accurate, complete and up-to-date. If any information that we hold is incorrect, inaccurate or out of date, please advise us as soon as practicable so we can update our records and ensure that we can continue to provide quality Services to you.
   
   

8. Links to external websites
   Our privacy policy applies only to your direct use of our Website, Services, and any other documents, resources or data collection methods that we have designed, created and/or are using in providing our Services (collectively, Properties). Such Properties are often identifiable by our logo, branding or visual identifiers that distinguish content as belonging to Beyond Valleys.
   
   Our Properties may contain embedded links to external websites for the purposes of providing additional context or related information, but we do not disclose your Personal Information to those operating linked websites and are not responsible for their privacy practices. Links to external websites do not imply our endorsement of the materials, content or policies on those websites. Please read the privacy policies of each website you visit to determine if and how information is collected about you.
   
   

9. Enquiries and complaints
   If you have any questions or complaints about our privacy policy, please contact us in writing at:
   
   ATT: Amanda Ng (Beyond Valleys Art Therapy)
   Habitat 1, Level 1, 177-179 Maroondah Hwy, Healesville VIC 3777 (mail only address)
   support@beyondvalleys.com.au
   +61 404 324 584
   
   We endeavour to respond to general enquiry questions within a reasonable period of 3-5 business days, and to complaints, access and correction requests within 15-30 business days depending on the complexity of the request. Please understand that we are a small practice with limited resources. We will do our best to respond to you as soon as humanly possible. If you are not satisfied with our response, you may refer matters to The Office of the Australian Information Commissioner at https://oaic.gov.au/.
   
   

10. Policy updates
    We reserve the right to update this policy at any time at our sole discretion. Any changes will be effective immediately upon the posting of the revised policy.
    

    
    Last updated: 26/04/2025